b'DEPARTMENT OF HOMELAND SECURITY\n\n   Office of Inspector General\n\n\n Independent Auditor\'s Report on TSA\'s\n\n     FY 2008 Mission Action Plans\n\n\x0c                                                                         Office of Inspector General\n\n                                                                         U.S. Department of Homeland Security\n                                                                         Washington, DC 20528\n\n\n\n                                                                        Homeland\n                                                                        Security\n                                          July 9, 2008\n\n\n                                      Preface\n\nThe Department of Homeland Security (DHS) Office ofInspector General (DIG) was established by\nthe Homeland Security Act of2002 (Public Law 107-296) by amendment to the Inspector General\nAct of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our\noversight responsibilities to promote economy, efficiency, and effectiveness within the department.\n\nThe attached report presents the results of the Transportation Security Administration\'s fiscal year\n2008 Mission Action Plans audit. We contracted with the independent public accounting firm KPMG\nLLP (KPMG) to perform the audit. The contract required that KPMG perform its audit according to\ngenerally accepted government auditing standards. KPMG is responsible for the attached\nindependent auditor\'s report and the conclusions expressed in it.\n\nThe recommendations herein have been discussed in draft with those responsible for implementation.\nIt is our hope that this report will result in more effective, efficient, and economical operations. We\nexpress our appreciation to all of those who contributed to the preparation of this report.\n\n\n\n\n                                      Richard L. Skinner\n                                      Inspector General\n\x0c                               KPMG LLP                                                                          Telephone 202 5333000\n                               2001 M Street. NW                                                                 Fax       202 533 8500\n                               Washington, DC 20036                                                              Internet  www.us.kpmg.com\n\n\n\n\nFebruary 22, 2008\n\nMs. Anne Richards\nAssistant Inspector General for Audits\nDepartment of Homeland Security, Office of the Inspector General\n\nMr. David Norquist\nChief Financial Officer\nDepartment of Homeland Security\n\nThis report presents the results of our work conducted to address the performance audit objectives relative\nto the Department of Homeland Security\'s (DHS or the Department) Mission Action Plans (MAPs)\ndeveloped to address the intemal control deficiencies at the U.S. Transportation Security Administration\n(TSA). These deficiencies were identified by management and/or reported in KPMG LLP (KPMG)\nIndependent Auditors\' Report included in the Department\'s fiscal year 2007 Annual Financial Report\n(herein referred to as the "FY 2007 Independent Auditors\' Report").\n\nThis performance audit is the third in a series of four performance audits that the Department\'s Office of\nInspector General (OIG) has engaged us to perform related to the Department\'s fiscal year 2008 MAPs\nthat are contained with the Department\'s Internal Controls Over Financial Reporting Playbook (ICOFR\nPlaybook). This performance audit was designed to meet the objectives identified in the Objectives,\nScope, and Methodology section of this report. Our audit procedures were performed using draft MAPs\nprovided to us on January 4,2008. Interviews with TSA management and other testwork, was performed\nat various times through February 21,2008, and our results reported herein are as of February 22, 2008.\n\nWe conducted this performance audit in accordance with generally accepted govemment auditing\nstandards (GAGAS). Those standards require that we plan and perform the audit to obtain sufficient,\nappropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit\nobjectives. We believe that the evidence obtained provides a reasonable basis for our findings based on\nour audit objectives.\n\nThe performance audit did not constitute an audit of financial statements in accordance with GAGAS.\nKPMG was not engaged to, and did not, render an opinion on the Department\'s or TSA\'s intemal controls\nover financial reporting or over financial management systems (for purposes of Office of Management\nand Budget Circular No. A-I27, Financial Management Systems, July 23, 1993, as revised). KPMG\ncautions that projecting the results of our evaluation to future periods is subject to the risks because of\nchanges in conditions or because compliance with controls may deteriorate.\n\n\n\n\n                                   :<P;\'11G U_P .\'l U S iimiteli li~,I.>IIII}\xc2\xb7 P<llt1ll!iI!,hIP,:5 th" U S\n                                    n2n\'b~r filln .}:- .~;Pr~;G il1~a 1\',"!(1)"11 .~;; \xc2\xb7.i~s \'~Cr)I-\'\'\'\'HI\'\':\'\n\x0cTable of Contents\n\nEXECUTIVE SUMMARY                        2\n\nBACKGROUND                               4\n\nOBJECTIVE, SCOPE, AND METHODOLOGY        5\n\nFINDINGS AND RECOMMENDATIONS             7\n\nMANAGEMENT RESPONSE TO REPORT            9\n\nKEY DOCUMENTS AND DEFINITIONS           10\n\n\n\n\n\n                                    1\n\x0cEXECUTIVE SUMMARY\n\nThe Department of RomelandSecurity (DRS or the Department) has identified weaknesses in internal\ncontrol over financial reporting through its annual assessment conducted pursuant to Office of\nManagement and Budget (OMB) Circular No. A-I23, Management\'s Responsibility for Internal Control,\nand compliance with the Federal Managers\' Financial Integrity Act (FMFIA). Some of the deficiencies\nare material weaknesses identified by DRS\' external fmancialstatement auditor. Beginning in 2006, the\nDepartment launched a comprehensive corrective action plan to remediate known internal control\ndeficiencies. The plan is documented in the Internal Controls Over Financial Reporting Playbook\n(ICOFR Playbook).. The Mission ActionPlan (MAP) is a key element of the ICOFR Playbook that\ndocuments the remediation actions planned for each control deficiency at the DRS component level. The\nMAP provides specific actions, timeframes,key milestones, assignment of responsibility, and the timing\nof corrective action validation.\nThe U.S. Transportation Security Administration (TSA) developed four MAPs to be included in the 2008\nICOFRPlaybook. The MAPs are intended to address control deficiencies identified in General Ledger\nManagement, Property Management,Employee Accrued Leave, and Budgetary Resource Management.\nThe objective of this performance audit was to evaluate and report on the status of the four detailed MAPs\nprepared by the TSA to correct internal control deficiencies over financial reporting described above. We\nconducted our audit in accordance with the standards applicable to such audits contained in the\nGovernmentAuditing Standards, issued by the Comptroller General of the United States. Our audit waS\nperformed using specific criteria to assess the MAP development process used by TSA, and evaluate the\nMAPs submitted by TSA to the DRS Chief Financial Officer to be included in the 2008 ICOFR\nPlaybook.\nThe evaluation criteria were developed from a variety of sources including technical guidancepublished\nby OMB, the.GovernmentAccountability Office, and applicable laws and regulations. We also\nconsidered DRS\' policies and guidance and input from the Office of Inspector General when designing\nevaluation criteria. Our evaluation criteria are:\n    1.\t Identification (of the root cause)-Identification of the appropriate underlying root cause that is\n        causing the internal control deficiencycoridition(s).\n    2.\t Development (of the MAP) - Clear action steps that address the root cause, and a.ttainableand\n        measurable milestones at an appropriate level of detail.\n    3.\t Accountability (for execution of the MAP) - The individual MAP owner is responsible for its\n        successful implementation, ensuring that milestones are achieved and thatthe validation phase is\n        completed.\n    4.\t Verification and. validation- The MAP includes written procedures to verify successful\n        implementation of the MAP,ameans to track progress throughout the MAP Jifecycle, and\n        reporting results when complete.\nWe noted that the TSA has prepared MAPsthat address its known control. deficiencies described above.\nTSA\'sFY2008MAPs were submittedtirnelyto the Department\'s ChiefFinancial Officer toibe included\nthe ICOFRPlaybook.Inaddition, TSAhasimplemented a process to monitor its progress toward\ncompletion of its milestones this year.\nWe also lloted some areas where the MAPs could be improved. Specifically, we noted that the MAP\nmilestones are not clearly linked to root causes. Critical interdependericiesare notidentified within each\nMAP and affected milestones, such as those betweenmilestones, accountingprocesses, and lor with third\nparties (e.g., U.S. Coast Guard information technology(lT) systems). The verification and validation\n(V&V) plans also could be improved byfurther development.\nWerecommended that the TSA revise its MAPs to address these concerns. Specifically, TSA should:\n\n\n\n                                                    2\n\x0c\xe2\x80\xa2    Continue to perform a comprehensive root cause analysis and maintain documentation to support the\n     analysis, including a review of financial IT systems, processes, and humanresources.\n..   Improve.the MAPs by clearly linking each deficiency or root cause identified by management (as well\n     as those identified by the independent auditor) to milestones.\n\xe2\x80\xa2    Identify critical\xc2\xb7interdependencies and include milestones recog"nizing these dependencies.\n\xe2\x80\xa2    IncludeV&V procedures as each critical milestone is completed in order to accurately track the\n     progress of each MAP. V&V should be performed by someone other than the process owner and\n     should be documented for external audit and OMB Circular A-123 support.\n\n\n\n\n                                                     3\n\n\x0cBACKGROUND\n\nThe Department of Homeland Security (DHS or the Department) and the U.S. Transportation Security\nAdministration (TSA) recognize that deficiencies in internal control over financial reporting exist The\ninternal control deficiencies are reported by DHSmanagement in its annual Secretary\'s Assurance\nStatement, issued pursuant to Office of Management and Budget (OMB) Circular No. A-123,\nManagement\'s Responsibilityforlnternal Control. The Secretary\'s Assurance Statement and the findings\nof the external auditor are reported in the Department\'s fiscal year 2007Annual Financial Report (AFR).\nThe conditions causing the .control weaknesses are diverse and complex. The evolution of the\nDepartment\'S mission, programs, component restructuring, and other infrastructure changes has made\nremediation of these control weaknesses very challenging. To meet this challenge, the Department\'s\nSecretary, Chief Financial Officer and financial management in the DHScomponents have adopted a\ncomprehensive strategy to implement corrective actions beginning in fiscal year 2007 and continuing in\nFY2008.\nThe DHS Office of the Chief Financial Officer (OCFO), Internal Control Program Management Office\n(ICPMO) is primarily responsible for the development and implementation of the Department\'s strategy\nto implement corrective action plans. The ICPMO has documented its strategy and other related plans to\nremediate identified internal control deficiencies in the Internal Controls Over. Financial Reporting\nPlaybook{ICOFR Playbook).\nIn 2006, the Department issued Management Directive 1030, Corrective Action Plans, and the\nDepartment enhanced its existing guidance by issuing the Mission Action Plan Guide, Financial\nManagement Focus Areas Fiscal Year 2008 (MAP Guide). In accordance with the MAP Guide, the\nDepartment and its components developed Mission Action Plans (MAP) that describe the corrective\nactions to be implemented. The Department continued to utilize an Electronic Program Management\nOffice (ePMO), a Web-based software application, to manage the collection and reporting of MAP\ninformation.\nThe MAp Guide is applicable to all Department components,including TSA, and outlines the policies\nandprocedures necessary to develop fiscal year 2008 Department MAPs. All components were required\nto submit MAPs,or MAP updates, for any new or existing internal control deficiencies over financial\nreporting, identified by management ortheexternal auditors, for input into to the fiscal year 2008 ICOFR\nPlaybook.\nTo comply with Management Directive 1030 and the MAP Guide, TSA\'s Internal Controls Branch\nprepared four detailed MAPs for fiscal year 2008 to address the internal control deficiencies over\nFinancial .Reporting, Capital Assets and\xc2\xb7 Supplies, Actuarial and Other Liabilities, and Budgetary\nAccounting that contributed to Departmental material weaknesses in the 2007 Independent Auditors\'\nReport. The internal control deficiencies associated with each MAP are summarized below:\n   \xe2\x80\xa2\t General Ledger Management - TSA\xc2\xb7 made .a number of restatements to its prior year financial\n      statements and did noLhave certain policies and procedures in place all fiscal year. It required\n      numerous other onctopadjustments to properly close and report its monthly and annual financial\n      results. TSA required significant additional human resources to perform its year-end general\n      ledger close, prepare financial statements,and respond to audit inquiries ina timely manner.\n   \xe2\x80\xa2\t Property Management ~ TSA maintains extensive capital assets used at airports to screen\n      passengers and .their baggage. It .did not reconcile. its propertysuhsidiary .ledger to its general\n      ledger consistently and tiinelythroughoutFY 2007. TSA had not recorded depreciation on\n      certain equipment using a method that is consistent with U.S. generally accepted accounting\n      principles~ TSA is not recording purchases ofproperty in compliance with the US. Standard\n      General Ledger,and improperlycapitalited certain advance payments as construction in progress.\n\n\n\n\n                                                   4\n\n\x0c   \xe2\x80\xa2\t Employee Accrued Leave ~Apart of TSA\'s employee compensation package includes annual\n      leave, which accrues at varying rates and is based on years ofservice, and related benefits. TSA\n      has not maintained all. of the necessary supporting documentation for accrued annual leave. Also,\n      it has not reconciled annual leave balances earned by employees per the payroll provider\'s output\n      records to the data submitted by TSA and with the general ledger on a routine basis.\n   \xe2\x80\xa2\t Budgetary Resource Management--\'- TSA has substantial obligations and undelivered orders at\n      yearend,primarily for contract services and purchases of equipment. TSA does not have a funds\n      controL process in place to monitor outstanding obligation balances on a periodic basis. It does\n      not have sufficient policies and procedures requiring contract officers to monitor and close-out\n      contracts.\nOBJECTIVE, SCOPE,AND METHODOLOGY\n\nObjective\nThe objective of this performance audit was to evaluate and report on the status of detailed MAPs\nprepared by the TSA to COITect internalcontrol deficiencies over financial reporting. Our evaluation was\nperformed using specific criteria, described in the methodology section below, to assess the process used\ntodevelopanddocument the TSA fiscal year2008 MAPs. We did not evaluate the outcome of the MAP\nprocess or any. corrective actions taken by management during our\xc2\xb7audit, and our findings should not be\nused to project ultimate results from MAP implementation.. Recommendations are provided to help\naddress findings identified during our performance audit.\n\nScope\nThe scope of this performance audit includes TSA\'s FY 2008 MAPs developed to address the Financial\nReporting, Capital Assets and. Supplies, Actuarial\xc2\xb7 and. Other Liabilities, and Budgetary Accounting\ninternal control deficiencies at TSA as reported in the Secretary\'s FY 2007 Assurance Statement and in\nthe FY 2007DHS Independent Auditors\' Report. The MAPs subjected to our performarice audit were\nprovided bythe OCFO,on behalf ofthe TSA, on January 4,2008; The scope of this performance audit\ndid not include procedures on any ofthe MAPs associatedwith other control deficiencies existing at TSA\nas reported in the FY2007 IndependentAuditors\' Report. Interviews with TSA management and other\ntestwork, was performed at various times through February 21,2008, and our tesultsreported herein are\nas of February 22, 2008. \xc2\xb7tSA made certain modifications to. the MAPs after January 4, 2008, some of\nwhich are reflected in the ICOFR Playbook. We considered those modifications in drafting our report,\nhowever,due to the timing of our review, we were unable to perform procedures to verify the validity of\nthose modifications.\n\nMetbodology\nWeconductedthis performance auditin accordance with the standards applicable to such audits contained\nin the Government Auditing Standards, issued by the Comptroller. General of the United States. Our\nmethodol()gyconsistedofthe following four-phased approach:\nProject Initiation and Planning ~ We attended meetings with thy Department\'s Office of Inspector\nGeneral (OIG), OCFO, and TSA to review the performance audit objectives and scope, describe our\napproach, communicate data requests, and gain an understanding of the status of TSA\'s 2008 MAPs.\nData Gathering --\'- We performed interviews with accounting and finance management and staff at TSA\nand aCFO. Through these interviews, we gained an understanding of the process used to develop the\nMAPs,including key inputs and data used, assumptions made, and reasonsforconclusions reached. The\ninterviews focused on the analysis performed by theTSA to identify the underlying problems creatingthe\ninternaLcontrolweakness (root cause) and planned corrective actions, the critical milestones chosen for\nmeasurement, and the methods used to monitor and validate progress in meeting the milestones. We\ndiscussedTSA\'s resource allocation strategy employeciinthe development arid eventual implementation\n\n\n\n                                                    5\n\n\x0cof the MAP, including the utilization of contractors to supplement staff as needed and the use of\nspecialists, if necessary. We also conducted meetings with the Department\'s OIG to identify and agree to\nthe criteria used to evaluate the status, and assess the process used to develop and. document the TSA\nfiscal year 2008 MAPs (as defined below).\nWe perfOlTIled reviews of key documents and supporting information provided to us. Our documentation\nreviews included:\n    \xe2\x80\xa2\t The fourTSA MAPs (i.e., the MAP Detailand Summary Reports)that were included within our\n        scope, and any underlying supporting documentation provided by TSA\n    \xe2\x80\xa2\t The Notice of Findings and Recommendations (NFRs) issueq during the FY 2007 financial\n        statement audit by the external auditors that supported the internal control findings reported in the\n       .FY 2007 Independent Auditors\' Report.\n    \xe2\x80\xa2\t Information provided by TSA management regarding the allocation of resources related to all\n       MAPs, including the utilization of contractors.\n    \xe2\x80\xa2\t The Annual Component Head Assurance Statements\xc2\xb7 provided pursuant to. the requirements of\n        OMB Circular No. A c123.\n    \xe2\x80\xa2\t The ICOFRPlaybook,MD 1030, the MAP Guide, and existing internal. control monitoring\n        guidance (e.g., OMBCircular No. A-123).\nAnalysis Using Established Criteria - Our evaluation criteria were developed from a variety of sources\nincluding technical guidance published by OMB (e.g., Circular No. A-123) and the Government\nAccountability Office (e.g., Standards for Internal Control in the Federal Government), and applicable\nFederal laws and regulations (e.g., Federal Managers\' Financial Integrity Act of 1982). We also\nconsidered DHS\'policies and guidance, such as the MAP Guide and the ICOFR Playbook, and input\nfrom the OIG.Our evaluation criteria are:\n1.\t Identification (of the root cause)~Identification of the appropriate underlying root cause that is\n    causing the internal control deficiency. A comprehensive analysis typically includes a full\n    assessment of the business processes, data flows, and information systems that drive the\n    transactions/activities associated with the accounting process where the internal control deficiencies\n    are believed to exist. A thorough root cause analysis should include:\n    a) Research to discover why, when, and how the condition occurred ~~]Vhat went wrong and why?\n    b) Investigation to determine if the problem is procedural or human resources, or both (processes,\n       and / or peopIe).\n    c) An evaluation to determine if IT system functionality is contributing to the problem, and if IT\n       system modifications could be part of the remediation.\n    d) An evaluation of internal controls, including Jheexistence of compensating controls that may\n       mitigate the deficiency.\n    e) An evaluation to determine if third parties (e.g. accounting services provider) are contributing to\n       the problem.\n2.\t Development (of the MAP) ~ The MAP includes action steps that address the rOQtcause, and\n    attainable and measurable milestones at an appropriate level ofgranularity. Milestones should enable\n    independent analysis of a MAP\'s effectivenessin remediation of root causes and provide MAP users\n    with insight on the status of the MAP\'s implementation. For example, they should enable a user to\n    determine if the appropriate level ofresourcestb execute a milestone is available and identify\n    potential gaps in milestones (e.g., a contractor may need to be hired before a specific milestone can be\n    achieved).\n3.\t Accountability (for <execution of the MAP) ~ Accountability for the MAP is clearly identified and\n    assigned. The individual MAP owner is responsible for its successful implementation, ensuring that\n    milestones are achieved,andvalidationof results.\n\n\n\n                                                     6\n\x0c4.\t Verification and Validation - the MAP includes written procedures that verify successful\n    implementation of the MAP, provide a means to track progress throughout the MAP lifecycle, and\n    require reporting of results when complete. These activities should include documentation reviews,\n    work observations,and performance testing that are maintained for internal OMB Circular No. A~123\n    review and external audit.\nResults - Findings and Recommendations ~ After conducting our analysis and applying the evaluation\ncriteria to the MAPs, we formulated our findings andrecommendations. The findings represent areas for\npotential improvement that could negatively affect TSA\'s remediation of the control deficiencies if the\nMAP is executed as designed.\n\nFINDINGS AND RECOMMENDATIONS\n\nFindings\nTSA prepared and submitted MAPs to the OCFO as instructed in the MAP Guide. The MAPs address\neach of the four primary processes where control deficiencies existed at the end of fiscal year 2007. The\nGeneral Ledger, Budgetary Resource and Property Management MAPs were updates to MAPs prepared\nin previous years (dating back to fiscal year 2005). The Employee Accrued Leave MAP was prepared in\nresponse to anew control weakness identified in fiscal year 2007. TSA\'sfiscal year 2008 MAPs Were\nsubmitted timely to the Department\'s Chief Financial Officer. In addition, TSA has implemented a\nmonitoring process, including periodic meetings to discuss the status of the MAPs and the related\nmilestones.\nTSA\'s documentation of its root cause analysis was limited to the information provided on the MAP.\nConsequently, our reviewofTSA\'s work supporting its MAP was limited to reading the MAP, comparing\nthe information to the DHSFY2007 Independent Auditors\' Report, and inquiring of various TSA\npersonnel and management. We were unable to verify, through the documentation made available to us,\nthat the remediation plans address all potential causes of the control deficiencies. However, basedonour\ninquiries with TSA personnel, we determined that TSA was knowledgeable of the MAP.\xc2\xb7 Guide,\nperformed a review to determine the source and cause of control deficiencies, and incorporated the results\ninto the individual MAPs in the form of milestones.\nOur findings were:\n    \xe2\x80\xa2\t   Three of the MAPs, i.e., General Ledger, Property, and Budgetary Resource Management, do not\n         adequately define the control deficiencies being corrected and/or the purpose of the MAP. The\n         Issue Description section does not clearly define the underlying issues or problems that were\n         identified\xc2\xb7 during the root cause analysis, or lead the reader to the corrective actions (e.g.,\n         milestones). In some cases, known problems do not have corresponding milestones (e.g., a\n         milestone to address the lack of documentation supporting employee leave balances).\n    \xe2\x80\xa2\t   The financial statement assertion sections of the MAPs were not complete at the time of our\n         audit,and consequently, the MAP milestones are not linked to the financial statementass~rtions\n         (e.g., completeness, accuracy, and existence)affectedby the controlweaknesses. However, we\n         noted that the financial statement assertion sections were completed in subsequent versions of the\n         MAPs provided by TSA to the OeFO on January 18, 2008, which were included in the !COFR\n         Playbook.\n    \xe2\x80\xa2\t   The milestone steps are not clearly linked to root causes. As aresult, we could not determine\n         how the milestonesr~lated to the issues identified and root causes, or if the milestones listed in\n         the TSA MAP sufficiently addressed aU root causes and corresponding control deficiencies.\n                                                                                              \\\n\n\n\n\n                                                     7\n\x0c    \xe2\x80\xa2\t   Although not required by the DHS CAP Guide, critical interdependencies are not identified\n         within each MAP and affected milestones. We identified three interdependencies that should be\n         considered in each MAP:\n                 Interdependencies between milestones (e.g., defining new staff responsibilities (#1.17.4 \xc2\xad\n                 4/2008) should follow Human Resource approval (#1.17.2 - 7/2008) in the Budgetary\n                 Resource MAP);\n                 Interdependencies between accounting processes (e.g., general ledger and budgetary\n                 processes); and\n                 Interdependencies with third parties (e.g., U.S. Coast Guard (USCG), TSA\'s accounting\n                 services provider).\n         The MAP does not address the interdependencies with other Departmental control deficiencies, or\n         the degree of reliance between MAPs. For example, to successfully implement the General\n         Ledger Management MAP, it may be necessary for TSA to meet milestones and correct\n         underlying conditions identified in other MAPs related to financi<il reporting and/or the IT\n         processes, or for the USCG to implement corrective actions. Control deficiencies identified at the\n         USCG may be particularly relevant since TSA\'s general ledger is maintainedou USCG\'s IT\n         systems. We noted thatthe Dependencies sections of the MAPs were completed in subsequent\n         versions of the MAPs provided by TSA to the OCFO on January 18, 2008. However, milestones\n         were not updated to cross-reference corrective actions or milestones with dependencies. Full\n         remediation of TSA\'s control deficiencies may require the .correction of other related control\n         deficiencies, andloradvances made by other components in correcting their materialweaknesses.\n   \xe2\x80\xa2\t    We noted the following matters related to the verification and validation (V&V) phase outlined in\n         theTSA MAPs. TheV&V processes:\n                Are not consistently documented across each MAP. While generalV&V procedures have\n                been developed that apply to all MAPs and three ofthe MAPs include specific V&V\n                procedures, the Employee Accrued Leave MAP does not include specific V&V\n                procedures to test. whether milestones have been successfully implemented. Instead, it\n                includes outcomes that, if achieved, will indicate that corrective actions have been\n                implemented;\n                Are deferred until the end of the MAP instead of incrementally throughout the MAP\n                process. However,preliminary testing procedures are performed on an ad-hoc basis. For\n                those milestones in which preliminary testing procedures are not performed, validation is\n                limited to a weekly review of the milestone progress; and\nRecommendations\nWerecommend that the TSAperform the following to address our findings.\n1.\t Continue to perform a comprehensive and thorough root cause. analysis and maintain documentation\n    tosupportthat an analysis was performedto identify the underlying caus.es ofthe control deficiencies,\n    including areview of financialITsystems, processes, and human resources.\n2.\t Improve the MAPs as follows:\n   a)\t Link the milestones to identified root causes and/orftnancial statement assertions. This will help\n       ensure. that . corrective actions are comprehensive, addressing each of the. issues, and that\n       completion of the milestones will allow management to make all. financial statement assertions;\n       and\n   b)\t Identify critical interdependencies and include specific milestones to recognize instances where\n       the successful implementation of.a MAP depends on corrective actions in other accounting\n\n\n\n                                                     8\n\x0c       processes or by third parties, and cross-reference totheothercon\xc2\xb7ectiveaction(s). This will help\n       with planning and help avoid unexpected interruptions to progress.\n3.\t Develop V&V procedures to be performed as each critical milestone becomes complete, and involve\n    actualtestingof controls/processes, in order to accurately track the progress of each MAP. V&V\n    procedures should be performed by someone other than the process owner and should be documented\n    for external audit and OMB Circular No. A-123 support.\n\nMANAGEMENT RESPONSE TO REPORT\n\nManagement has prepared an official response presented as a separate attachment to this report. In\nsummary, management agreed with our findings and its comments were responsive to our\nrecommendations. We did not audit management\'s response and, accordingly, we express no opinion on\nit.\n\n\n\n\n                                                  9\n\n\x0cKEY DOCUMENTS AND DEFINITIONS\n\nThis section provides key definitions and documents forthe purposes of this report.\n\nThePederal Managers\' Financial IntegritvAct (FMFIA) requires that Executive Branch Federal agencies\nestablish andmaintain an effective iriternal contFolenvironmentaccording to the standards prescribed by\nthe Comptroller General and specified in the Government Accountability Office\'s (GAO) Standards for\nInternal Control in the Federal Government. In addition, it requires that the heads of agencies to\nannually evaluate and report on the effectiveness of the internal control and financial management\nsystems.\n\nGAO\'s Standards forlnternal Control in the Federal GovernmendStandards) defines internal control as\nan integral component of an organization\'s management that provides reasonable assurance of:\neffectiveness and efficiency of operations, reliability of financial reporting, and compliance with\napplicable laws and regulations.\n\nThe Department of Homeland Security Financial Accountability Act (the DRS FAA) designates the\nDepartment\'s Chief Financial Officer (CFO),under\xc2\xb7 the authority of the Secretary, as the party responsible\nfotthe designand implementation of Department\xc2\xb7wide internal controls. Furthermore, the DHS FAA\nrequires that a management\'s. assertion and an audit opinion of the internal controls over financial\nreportingbe included in the Department\'s annual Performance and Accountability Report.\n\nOffice of Management and Budget (OMB) Circular No. A-123, Management\'s Responsibility for\nInternal Control, provides guidance on internal controls and requires agencies and Federal managers to\nI) develop atid implement management controls; 2) assess the adequacy of management controls; 3)\nidentify needed improvements; 4) take corresponding corrective action; and 5) report annually on\nmanagement controls. The successful implementation of these requirements facilitates compliance with\nboth FMFIAand the DHS FAA.\n\nOffice of Management and Budget (OMB) Circular No. A-127, Financial Management Systems,\nprescribes policies and standards for executive departments and agencies to follow in developing,\noperating, evaluating, and reporting on financial management systems. The successful implementation\nof these requirements facilitates compliance with both FMFIA andtheDHSFAA.\n\nInternal Control Deficiencies -- A control. deficiency exists when the design or operation of a control\ndoes not allow management or employees, .in the normal course of perfOlming their assigned functions,\nto prevent or detect misstatements on atimely basis; A significant deficiency is a control deficiencY,or\ncombination of control deficiencies, that adversely affects DHS\' ability to initiate,authorize, record,\nprocess, or report financial data reliably in accordance with U.S. generally accepted accounting\nprinciples suchthatthete is more than a remote likelihood that a misstatement of DRS\' financial\nstatements that is more than inconsequential\'Nillnot be prevented or detected by DHS\' internal control\nover financial reporting. A material weakness is a significant deficiency, or combination of significant\ndeficiencies, that results in more than a remote likelihood that a material misstatement\xc2\xb7 of the financial\nstatements will not be prevented or detected by DRS\'internalcontrol.\n\nManagement Directive (MD)1030,CorrectiveAction Plans, establishes the "Department\'s vision and\ndirection on the. roles and responsibilities for developing, maintaining,reporting; and monitoring MAPs\nspecific to the DHSPinancialAccoul1tability Act, PMFlA, and related OMRgllidance." In addition tothe\nroles and responsibilities, MD 1030 outlines the policies and procedures related to the MAP process. The\n\n\n\n\n                                                    10\n\n\x0corganizational structure detailed in MD 1030 encompasses employees at both the component and\ndepartment levels.\n\nThelnternal Controls Over Financial Reporting (ICOFR) Playbook (ICOFR Playbook) was developed\nby the. OCFO, Internal Control Program Management Office, to assist the Department in meeting the\nfinancial accountability requirements outlined in the DRS FAA. The ICOFR PlaYbook outlines the\nDepartment\'s "strategy and process to resolve material weaknesses and build management aSSUrances."\nOn an annual basis, the ICOFRPlaybook is updated by the OCFO to enhance its exiting guidance,as\nnecessary, and establish milestones, which will be monitored by the OCFO throughout the year. A\ncomponent of the ICOFRPlaybook is MAPs developed by the Department and its components to correct\ninternal control deficiencies.\n\nThe Mission Action Plan Guide. Financial Management Focus Areas FiscalYear 2008 (MAP Guide)\noutlines the policies and procedures to be used to develop MAPs throughout DRS, pursuant to the roles\nand responsibilities established by the DRS Management Directive (MD) 1030, Corrective Action Plans.\nThe MAP Guide applies to all Department Components\' and Offices (e.g., OFM) where a control\ndeficiency has been identified. Note non-confonnances related to the Federal Information Security\nManagement, Act (FISMA), are under the purview of the Department\'s Chief Information Security\nOfficer\'s Plan ofAction and Milestones (POA&M) Process Guide.\n\nElectronic Program \'Management, Offic.e (ePMO) is a Web-based software application the OCFO\ndeployed to manage the collection and reporting of MAP infonnation.\n\nMission Action Plans (MAPs), as defined in the MAP Guide, are documents prepared to facilitate the\nremediation of internal control deficiencies identified by management or by external parties. MAP\ndocumentation, as described in detail in the MAP Guide, includes a MAP Summary Report and a MAP\nDetailed Report that are required to be submitted to the OCFO through ePMO. Below are brief\ndescriptions of the MAP Summary and MAP Detailed Reports,based on the ePMO MAP Reports Quick\nGuide contained in the MAP Guide:\n\n    \xe2\x80\xa2\t The MAP Summary Report contains sections to describe the issue (e.g. internal control deficiency\n       conditions), results of the root cause analysis perfonned, relevant financial statement assertions\n       affected by the issue, key strategies and performance meaStlres, resources required, an analysis of\n       the risks and impediments as seen by management, verification and validation methods,and the\n       critical milestones to be achieved.\n    \xe2\x80\xa2\t The MAPDetailed Report provides additional data on the milestones, not onlyon those identified\n       as critical but also those sub-milestones under a critical milestone. For each milestone (critical or\n       sub), the following data is reflected: due date, percentage of completion,status (e.g., NotStarted,\n       Work in Progress and Completed), and the responsible and assigned parties.\n\nTheDepartment\'s AnnualFinancialReport (DRS AFR)wasissued on November 15,2007 and>consists\nofthe Secretary\'s Message, Management\'s Discussion and Analysis, Financial Statements and Notes, an\nIndependentAuditors\' Report, MajorManagementChallenges, and other required infonnation. Tile AFR\nwas prepared pursuant to OMBCircularNo. A-136, FinancialReportingRequirements.\n\n\n\n\n                                                    11\n\n\x0c                                                                     U.S. Department of Homeland Security\n\n                                                                     Office of Finance and Administration\n                                                                     60 I South 121h Street\n                                                                     Arlington, VA 22202-4204\n\n\n                                                                    \'Transportation\n                                                                    Security\n                                                                    l\\dba1inistration\n  MAY 2 3 2008\n\nMs. Anne L. Richards\nAssistant Inspector General for Audits\nDepartment of Homeland Security\n245 Murray Drive SW, Building 410\nWashington, DC 20528\n\nDear Ms. Richards:\n\nThis letter responds to KPMG\'s audit of the Transportation Security Administration (TSA) Fiscal\nYear (FY) 2008 Mission Action Plans (MAPs) as reported in the Draft Reporf Independent\nAuditor\'s Report on TSA \'s FY 2008 Mission Action Plans dated May 6, 2008. The report notes\nTSA\'s development of four Mission Action Plans (MAPS) to correct internal control deficiencies\nover financial reporting.\n\nWe concur with KPMG\'s findings and will be incorporating the recommendations noted in the report.\nOn behalf of Assistant Secretary Hawley, I would like to express my appreciation for the efforts of\nyour staff and the KPMG team in completing this audit.\n\n\n                                           Sincerely,\n\n\n\n\n                                           Davl        lcnolson\n                                           Assistant Administrator and Chief Financial Officer\n                                           Office of Finance and Administration\n\n\n\n\nFile Code: 1000.1.0                                                                          www.tsa.goy\n\x0cReport Distribution\n\n\nDepartment of Homeland Security\n\nSecretary\nDeputy Secretary\nChief of Staff\nDeputy Chief of Staff\nGeneral Counsel\nExecutive Secretary\nUnder Secretary for Management\nAssistant Secretary for Policy\nAssistant Secretary for Public Affairs\nAssistant Secretary for Legislative Affairs\nChief Financial Officer\nChief Information Officer\nChief Privacy Officer\nDHS GAO/OIG Audit Liaison\nAssistant Secretary for Transportation Security Administration\nTSA Assistant Administrator and Chief Financial Officer\nTSA OIG Audit Liaison\n\nOffice of Management and Budget\n\nChief, Homeland Security Branch\nDHSOIG Budget Examiner\n\nCongress\n\nCongressional Oversight and Appropriation Committees, as appropriate\n\x0cAdditional Information and Copies\n\nTo obtain additional copies of this report, call the Office of Inspector General\n(OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web\nsite at www.dhs.gov/oig.\n\n\nOIG Hotline\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of\ncriminal or noncriminal misconduct relative to department programs or\noperations:\n\n    \xe2\x80\xa2    Call our Hotline at 1-800-323-8603;\n    \xe2\x80\xa2    Fax the complaint directly to us at (202) 254-4292;\n    \xe2\x80\xa2    Email us at DHSOIGHOTLINE@dhs.gov; or\n    \xe2\x80\xa2\t   Write to us at:\n           DHS Office of Inspector General/MAIL STOP 2600, Attention:\n           Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410,\n           Washington, DC 20528.\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'